Twitter LinkedIn Share this page Facebook RSS


Employment & Labor Law BlogLegal updates, news, and commentary from the attorneys of Baker Sterchi Cowden & Rice LLC

An Ounce of Prevention is Worth a Pound of Cure: A Practical Guide to Reducing the Risk of a Data Breach

December 19, 2016

Most organizations collect and store personal or sensitive information about their clients and employees. Protecting sensitive or private information should be a priority for all organizations, regardless of their size.   Threats to information security arise from external and internal sources, and every organization must take a comprehensive approach to reduce the threat of a data breach.  In other words, strong passwords and secure networks alone are not a silver bullet.   

A common misconception is that data security issues mostly plague large corporations.  But studies show that smaller companies and organizations are targeted at least as often as larger corporations, because smaller companies may have less protection in place to defend against a data breach. 

Here are five effective and efficient steps that any company, large or small, can take to reduce the risk of a data breach:

  1. Access to confidential and sensitive information should be restricted: Limit access to sensitive data or protected information to those employees whose job function requires access to the information.

  1. Vendors must be screened: A vendor may have access to or handle an organization’s sensitive data as part of the service it provides.  The organization must ensure that the vendor: (a) has security measures in place to protect that data, and (b) is using the organization’s data for no other purpose than to provide the services for which the vendor was retained.

  1. Employee training and restrictions: Organizations should implement policies and practices to ensure data security, and train all employees, so they are aware of the organization’s rules and expectations.   For example, employees of each organization should be trained on:

    • the types of information considered sensitive or private;

    • correct procedures for storing and deleting sensitive information;

    • reporting of suspicious emails;

    • passwords (they should be strong, never duplicated, and changed frequently).

  1. Mobile Devices:  Organizations that permit employees to use personal mobile devices for business-related purposes should consider restricting the manner in which the devices are used to access the organization’s data.  For example, software can be downloaded on a personal mobile device which separates the business-related data from the personal data, and permits an organization to scrub the device remotely in the event the device is lost or stolen.

  1. Secure Networks and Encryption:  Organizations should encrypt sensitive or private data, utilize firewall protection in their networks, and ensure that Wi-Fi access is always secure and password-protected. 

Preventative measures may seem time-consuming and expensive to implement.  But a data breach could cost an organization millions of dollars in expenses and damages.  The cost an organization may incur in a data breach incident can be as high as several hundred dollars for each record that is compromised. Even the most prudent and conscientious of businesses cannot guarantee it will never fall victim to a data breach.  But an organization is always well advised to continuously monitor its potential vulnerabilities and implement measures to reduce the risk of a breach, especially as technology evolves.      

About Employment & Labor Law Blog

The BSCR Employment & Labor Law Blog examines topics and developments of interest to employers, Human Resources professionals, and others with an interest in recent legal developments concerning the workplace. This blog will focus on Missouri, Illinois and Kansas law, and on major developments under federal law, and at the EEOC and NLRB.  Learn more about the editor, David M. Eisenberg, and our Employment & Labor  practice.


The Employment & Labor Law Blog is made available by Baker Sterchi Cowden & Rice LLC for educational purposes only as well as to give you general information and a general understanding of the law, not to provide specific legal advice. Your use of this blog site alone creates no attorney client relationship between you and the firm.


Do not include confidential information in comments or other feedback or messages related to the Employment & Labor Law Blog, as these are neither confidential nor secure methods of communicating with attorneys. The Employment & Labor Law Blog should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.


For Important Legal Updates and Resources on the Coronavirus Click Here.